A conventional attack detection system, typified by an IDS (Intrusion Detection System), determines from the occurrence of a single event that an attack against an information system is underway.
Recently, attacks in which malware takes over a terminal and then acts by spoofing the legitimate user of that terminal have become prevalent.
Consequently, it is becoming difficult to determine from a single event that an attack against an information system is underway.
For cases where it is difficult to determine from a single event whether or not an attack is underway, a scheme (for example, Patent Literature 1) has been proposed. This scheme defines an event sequence (attack scenario) which is expected to be caused by a series of attack activities, and regards an attack as underway when events corresponding to the attack scenario occur.
Another scheme (for example, Patent Literature 2) has also been proposed. This scheme defines a logic tree whose root is the attacking phenomenon to be detected and whose nodes and leaves are phenomena which might occur before the attacking phenomenon. This scheme regards an attack as underway if, after the phenomena that have occurred are mapped onto the logic tree, the attacking phenomenon at the root is satisfied.
Still another scheme (for example, Non-Patent Literature 1) has also been proposed. This scheme defines a precondition and a result for each attack notice from an intrusion detection apparatus. When a plurality of attack notices are raised, if the results of the preceding attack notices satisfy the precondition of a following attack notice, this scheme regards these attack notices as associated with each other.
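As an added illustration of the precondition/result correlation just described (example code written for this page, not taken from Non-Patent Literature 1 or either patent document), the following Python sketch links each attack notice to preceding notices on the same host whose results satisfy one of its preconditions, then flags linked chains that reach a configured length. The notice types, their preconditions and results, and the sample notice stream are all constructed for the example.

```python
"""Precondition/result correlation of attack notices (constructed example)."""
from typing import NamedTuple

# Hypothetical notice definitions: kind -> (preconditions it requires,
# results it establishes). A real deployment would derive these from the
# intrusion detection apparatus's signature catalogue.
NOTICE_TYPES = {
    "port_scan":        (set(),                 {"host_reachable", "port_known"}),
    "exploit_attempt":  ({"port_known"},        {"code_exec"}),
    "malware_exec":     ({"code_exec"},         {"process_control"}),
    "spoofed_logon":    ({"process_control"},   {"account_used"}),
    "policy_violation": (set(),                 {"audit_event"}),
}

class Notice(NamedTuple):
    seq: int      # arrival order of the notice
    host: str     # terminal the notice concerns
    kind: str     # key into NOTICE_TYPES

def correlate(notices):
    """Map each notice seq to the seqs of preceding same-host notices whose
    results satisfy at least one of its preconditions (the page's criterion
    for regarding notices as associated). Unbounded history is kept here;
    a production correlator would age notices out of `seen`."""
    links, seen = {}, []
    for n in notices:
        pre, _ = NOTICE_TYPES[n.kind]
        links[n.seq] = [e.seq for e in seen
                        if e.host == n.host and pre & NOTICE_TYPES[e.kind][1]]
        seen.append(n)
    return links

def chain_depths(notices, links):
    """Length of the longest associated chain ending at each notice."""
    depth = {}
    for n in notices:  # notices arrive in seq order, so predecessors are done
        depth[n.seq] = 1 + max((depth[s] for s in links[n.seq]), default=0)
    return depth

def detect_attacks(notices, min_chain=3):
    """Seqs of notices that terminate a chain of at least `min_chain` notices."""
    depth = chain_depths(notices, correlate(notices))
    return sorted(seq for seq, d in depth.items() if d >= min_chain)

# Constructed sample stream: a four-step chain on hostA interleaved with
# notices on hostB whose preconditions are never satisfied by earlier results.
SAMPLE = [
    Notice(1, "hostA", "port_scan"),
    Notice(2, "hostB", "policy_violation"),
    Notice(3, "hostA", "exploit_attempt"),
    Notice(4, "hostA", "malware_exec"),
    Notice(5, "hostB", "malware_exec"),   # no prior code_exec on hostB
    Notice(6, "hostA", "spoofed_logon"),
]
```

Notice 5 stays unassociated because nothing earlier on hostB established `code_exec`, whereas notices 3, 4 and 6 each link back to the notice that satisfied their precondition on hostA.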